core/pkgs/by-name/op/openssl/default.nix

336 lines
12 KiB
Nix
Raw Permalink Normal View History

2024-05-02 00:46:19 +00:00
{ lib, stdenv, fetchurl, buildPackages, perl, coreutils, writeShellScript
, makeWrapper
, withCryptodev ? false, cryptodev ? null
, withZlib ? false, zlib
, enableSSL2 ? false
, enableSSL3 ? false
, enableKTLS ? stdenv.isLinux
, static ? stdenv.hostPlatform.isStatic
# path to openssl.cnf file. will be placed in $etc/etc/ssl/openssl.cnf to replace the default
, conf ? null
, removeReferencesTo
, testers
}:
# Note: this package is used for bootstrapping fetchurl, and thus
# cannot use fetchpatch! All mutable patches (generated by GitHub or
# cgit) that are needed here should be included directly in Nixpkgs as
# files.
let
common = { version, hash, patches ? [], withDocs ? false, extraMeta ? {} }:
stdenv.mkDerivation (finalAttrs: {
pname = "openssl";
inherit version;
src = fetchurl {
url = "https://www.openssl.org/source/${finalAttrs.pname}-${version}.tar.gz";
inherit hash;
};
inherit patches;
postPatch = ''
patchShebangs Configure
'' + lib.optionalString (lib.versionOlder version "1.1.1") ''
patchShebangs test/*
for a in test/t* ; do
substituteInPlace "$a" \
--replace /bin/rm rm
done
''
# config is a configure script which is not installed.
+ lib.optionalString (lib.versionAtLeast version "1.1.1") ''
substituteInPlace config --replace '/usr/bin/env' '${buildPackages.coreutils}/bin/env'
'' + lib.optionalString (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isMusl) ''
substituteInPlace crypto/async/arch/async_posix.h \
--replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \
'!defined(__ANDROID__) && !defined(__OpenBSD__) && 0'
''
# Move ENGINESDIR into OPENSSLDIR for static builds, in order to move
# it to the separate etc output.
+ lib.optionalString static ''
substituteInPlace Configurations/unix-Makefile.tmpl \
--replace 'ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}' \
'ENGINESDIR=$(OPENSSLDIR)/engines-{- $sover_dirname -}'
'';
outputs = [ "bin" "dev" "out" "man" ]
++ lib.optional withDocs "doc"
# Separate output for the runtime dependencies of the static build.
# Specifically, move OPENSSLDIR into this output, as its path will be
# compiled into 'libcrypto.a'. This makes it a runtime dependency of
# any package that statically links openssl, so we want to keep that
# output minimal.
++ lib.optional static "etc";
setOutputFlags = false;
separateDebugInfo =
!stdenv.hostPlatform.isDarwin &&
!(stdenv.hostPlatform.useLLVM or false) &&
stdenv.cc.isGNU;
nativeBuildInputs =
lib.optional (!stdenv.hostPlatform.isWindows) makeWrapper
++ [ perl ]
++ lib.optionals static [ removeReferencesTo ];
buildInputs = lib.optional withCryptodev cryptodev
++ lib.optional withZlib zlib;
# TODO(@Ericson2314): Improve with mass rebuild
configurePlatforms = [];
configureScript = {
armv5tel-linux = "./Configure linux-armv4 -march=armv5te";
armv6l-linux = "./Configure linux-armv4 -march=armv6";
armv7l-linux = "./Configure linux-armv4 -march=armv7-a";
x86_64-darwin = "./Configure darwin64-x86_64-cc";
aarch64-darwin = "./Configure darwin64-arm64-cc";
x86_64-linux = "./Configure linux-x86_64";
x86_64-solaris = "./Configure solaris64-x86_64-gcc";
powerpc64-linux = "./Configure linux-ppc64";
riscv64-linux = "./Configure linux64-riscv64";
}.${stdenv.hostPlatform.system} or (
if stdenv.hostPlatform == stdenv.buildPlatform
then "./config"
else if stdenv.hostPlatform.isBSD
then if stdenv.hostPlatform.isx86_64 then "./Configure BSD-x86_64"
else if stdenv.hostPlatform.isx86_32
then "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf"
else "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isMinGW
then "./Configure mingw${lib.optionalString
(stdenv.hostPlatform.parsed.cpu.bits != 32)
(toString stdenv.hostPlatform.parsed.cpu.bits)}"
else if stdenv.hostPlatform.isLinux
then if stdenv.hostPlatform.isx86_64 then "./Configure linux-x86_64"
else if stdenv.hostPlatform.isMips32 then "./Configure linux-mips32"
else if stdenv.hostPlatform.isMips64n32 then "./Configure linux-mips64"
else if stdenv.hostPlatform.isMips64n64 then "./Configure linux64-mips64"
else "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isiOS
then "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross"
else
throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}"
);
# OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags.
dontAddStaticConfigureFlags = true;
configureFlags = [
"shared" # "shared" builds both shared and static libraries
"--libdir=lib"
(if !static then
"--openssldir=etc/ssl"
else
# Move OPENSSLDIR to the 'etc' output for static builds. Prepend '/.'
# to the path to make it appear absolute before variable expansion,
# else the 'prefix' would be prepended to it.
"--openssldir=/.$(etc)/etc/ssl"
)
] ++ lib.optionals withCryptodev [
"-DHAVE_CRYPTODEV"
"-DUSE_CRYPTODEV_DIGESTS"
] ++ lib.optional enableSSL2 "enable-ssl2"
++ lib.optional enableSSL3 "enable-ssl3"
# We select KTLS here instead of the configure-time detection (which we patch out).
# KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls"
++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
# OpenSSL needs a specific `no-shared` configure flag.
# See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
# for a comprehensive list of configuration options.
++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared"
++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module"
# This introduces a reference to the CTLOG_FILE which is undesired when
# trying to build binaries statically.
++ lib.optional static "no-ct"
++ lib.optional withZlib "zlib"
++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [
# This is necessary in order to avoid openssl adding -march
# flags which ultimately conflict with those added by
# cc-wrapper. Openssl assumes that it can scan CFLAGS to
# detect any -march flags, using this perl code:
#
# && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})
#
# The following bogus CFLAGS environment variable triggers the
# the code above, inhibiting `./Configure` from adding the
# conflicting flags.
"CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
];
makeFlags = [
"MANDIR=$(man)/share/man"
# This avoids conflicts between man pages of openssl subcommands (for
# example 'ts' and 'err') man pages and their equivalent top-level
# command in other packages (respectively man-pages and moreutils).
# This is done in ubuntu and archlinux, and possiibly many other distros.
"MANSUFFIX=ssl"
];
enableParallelBuilding = true;
postInstall =
(if static then ''
# OPENSSLDIR has a reference to self
remove-references-to -t $out $out/lib/*.a
'' else ''
# If we're building dynamic libraries, then don't install static
# libraries.
if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
rm "$out/lib/"*.a
fi
# 'etc' is a separate output on static builds only.
etc=$out
'') + ''
mkdir -p $bin
mv $out/bin $bin/bin
'' + lib.optionalString (!stdenv.hostPlatform.isWindows)
# makeWrapper is broken for windows cross (https://github.com/NixOS/nixpkgs/issues/120726)
''
# c_rehash is a legacy perl script with the same functionality
# as `openssl rehash`
# this wrapper script is created to maintain backwards compatibility without
# depending on perl
makeWrapper $bin/bin/openssl $bin/bin/c_rehash \
--add-flags "rehash"
'' + ''
mkdir $dev
mv $out/include $dev/
# remove dependency on Perl at runtime
rm -r $etc/etc/ssl/misc
rmdir $etc/etc/ssl/{certs,private}
${lib.optionalString (conf != null) "cat ${conf} > $etc/etc/ssl/openssl.cnf"}
'';
postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) ''
# Check to make sure the main output and the static runtime dependencies
# don't depend on perl
if grep -r '${buildPackages.perl}' $out $etc; then
echo "Found an erroneous dependency on perl ^^^" >&2
exit 1
fi
'';
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
meta = with lib; {
homepage = "https://www.openssl.org/";
changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
description = "A cryptographic library that implements the SSL and TLS protocols";
license = licenses.openssl;
mainProgram = "openssl";
maintainers = with maintainers; [ thillux ];
pkgConfigModules = [
"libcrypto"
"libssl"
"openssl"
];
platforms = platforms.all;
} // extraMeta;
});
in {
# intended version "policy":
# - 1.1 as long as some package exists, which does not build without it
# - latest 3.x LTS
# - latest 3.x non-LTS as preview/for development
#
# - other versions in between only when reasonable need is stated for some package
# - backport every security critical fix release e.g. 3.0.y -> 3.0.y+1 but no new version, e.g. 3.1 -> 3.2
# If you do upgrade here, please update in pkgs/top-level/release.nix
# the permitted insecure version to ensure it gets cached for our users
# and backport this to stable release (23.05).
openssl_1_1 = common {
version = "1.1.1w";
hash = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";
patches = [
./1.1/nix-ssl-cert-file.patch
(if stdenv.hostPlatform.isDarwin
then ./use-etc-ssl-certs-darwin.patch
else ./use-etc-ssl-certs.patch)
];
withDocs = true;
extraMeta = {
knownVulnerabilities = [
"OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/"
];
};
};
openssl_3 = common {
version = "3.0.13";
hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
patches = [
./3.0/nix-ssl-cert-file.patch
# openssl will only compile in KTLS if the current kernel supports it.
# This patch disables build-time detection.
./3.0/openssl-disable-kernel-detection.patch
(if stdenv.hostPlatform.isDarwin
then ./use-etc-ssl-certs-darwin.patch
else ./use-etc-ssl-certs.patch)
];
withDocs = true;
extraMeta = with lib; {
license = licenses.asl20;
};
};
openssl_3_2 = common {
version = "3.2.1";
hash = "sha256-g8cyn+UshQZ3115dCwyiRTCbl+jsvP3B39xKufrDWzk=";
patches = [
./3.0/nix-ssl-cert-file.patch
# openssl will only compile in KTLS if the current kernel supports it.
# This patch disables build-time detection.
./3.0/openssl-disable-kernel-detection.patch
(if stdenv.hostPlatform.isDarwin
then ./3.2/use-etc-ssl-certs-darwin.patch
else ./3.2/use-etc-ssl-certs.patch)
];
withDocs = true;
extraMeta = with lib; {
license = licenses.asl20;
};
};
openssl_3_3 = common {
version = "3.3.0";
hash = "sha256-U+ZrBDMipgar8Ah+dpmg4DOjf6E/65dC3zXDozsY+wI=";
patches = [
./3.0/nix-ssl-cert-file.patch
# openssl will only compile in KTLS if the current kernel supports it.
# This patch disables build-time detection.
./3.0/openssl-disable-kernel-detection.patch
(if stdenv.hostPlatform.isDarwin
then ./3.2/use-etc-ssl-certs-darwin.patch
else ./3.2/use-etc-ssl-certs.patch)
];
withDocs = true;
extraMeta = with lib; {
license = licenses.asl20;
};
};
}